TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network

August 26, 2008

Reference Number: 2008-20-159

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process, and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

August 26, 2008

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM:    Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network (Audit # 200720015)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) is adequately controlling and securing its web servers. The audit focused on the security over internal web servers on the IRS network. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2007 Annual Audit Plan and was part of the Information Systems Programs business unit's statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

A web server is a computer that contains the software necessary for a web site to operate. At the time of our review, 1,811 internal web servers on the IRS network had not been approved to connect to the network, and 2,093 internal web servers connected to the network had at least 1 high-, 1 medium-, or 1 low-risk security vulnerability. These unauthorized and insecure web servers placed both the computers and the entire IRS network at risk of unauthorized access to taxpayer and personally identifiable information.

Synopsis

The IRS requires that business units register all internal web sites and web servers with the Web Services Division in the Modernization and Information Technology Services organization. We obtained a September 2007 network scan from the IRS Computer Security Incident Response Center that identified 2,093 potential web servers connected to the IRS network. We compared the scan results to the web registration database and identified 1,811 web servers that were not in the web registration database. These 1,811 web servers were not authorized to connect to the IRS network. We recognize that some of these unauthorized web servers could be legitimate web servers supporting IRS operations. For example, the Enterprise Operations organization was able to show that 661 (36 percent) of the 1,811 web servers had a legitimate business purpose.

The risk exists that the remaining 1,150 unauthorized web servers are being used for non-business purposes. Due to resource constraints, we conducted only limited tests to identify non-business web servers and found none. We did identify situations in which some unauthorized web servers were inadvertently running web services.

We attribute the existence of unauthorized web servers to 1) web server owners not registering their servers with the web registration program, and 2) responsibility for the web registration program remaining unassigned since September 2006. Lack of ownership over the web registration program adversely affected the maintenance and inventory of the web registration database. According to IRS procedures, if a web server is not registered, it might be blocked from delivering information to the network. Because no office had responsibility for the web registration program, this requirement was not enforced, and web servers were allowed to be connected without proper authorization and accountability.

Web servers can pose a security risk to the IRS network. To evaluate compliance with security guidance, we analyzed the September 2007 Computer Security Incident Response Center vulnerability scan, which identified 2,093 authorized and unauthorized web servers with at least 1 high-, 1 medium-, or 1 low-risk security vulnerability. The scan report contained 540 web servers with at least 1 of 160 high-risk vulnerabilities. Unauthorized servers pose a greater risk because the IRS has no way to ensure that they will be continually configured in accordance with security standards and patched[1] when new vulnerabilities are identified. Malicious hackers or disgruntled employees could exploit the vulnerabilities on these web servers to manipulate data on the server or use the servers as a launching point to attack other computers on the network.

In addition to security vulnerabilities, the IRS was using 33 different web server software packages. We believe that using as few products as possible would limit security risks, simplify monitoring for security vulnerabilities, and control costs for licensing fees, training, and maintenance.

[1] A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.

Recommendations

We recommended that the Chief Information Officer establish official ownership and assign responsibilities for the web registration program, enforce IRS procedures to block unauthorized web servers from providing data over the IRS network, and require an annual scan of web servers and comparison to the web registration database to identify unauthorized web servers. Unauthorized web servers should be immediately disconnected from the IRS network, and inappropriate web sites should be referred to the Treasury Inspector General for Tax Administration Office of Investigations. In addition, web server owners should be required to revalidate the need for the servers annually and immediately notify the Chief Information Officer upon decommission of any web server. The Chief Information Officer should also require quarterly network scans of web servers to measure compliance with security requirements and limit the number of approved web software packages used in the non-modernized environment.

Response

The Chief Information Officer agreed with our recommendations. The Associate Chief Information Officer, Enterprise Operations, was designated as the responsible official for the web registration program and database. The IRS will identify unauthorized web servers and create policies and procedures to prohibit them from providing data over the IRS network. Also, the Computer Security Incident Response Center will perform recurring discoveries of enterprise assets and provide an annual report to the web registration business owner to reconcile discovered assets with those currently registered. Unauthorized web servers will be disconnected, and web sites with inappropriate content will be referred to the Treasury Inspector General for Tax Administration Office of Investigations. In addition, the Computer Security Incident Response Center will perform quarterly security assessment scans to measure compliance with security requirements, and business owners and system administrators will eliminate the vulnerabilities. Lastly, the IRS will investigate the web software packages in use and work with the Office of Enterprise Architecture to create a list of approved software. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.


Table of Contents

Background ........................................................................ Page 1

Results of Review ................................................................. Page 3
    Unauthorized Web Servers on the Network Pose Significant Risks
    to Data Protection and Employee Productivity .................................. Page 3
        Recommendations 1 through 3: .............................................. Page 6
    Security Weaknesses Were Prevalent on All Web Servers Connected
    to the Network ................................................................ Page 7
        Recommendations 4 and 5: .................................................. Page 10

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ....................... Page 11
    Appendix II – Major Contributors to This Report ............................... Page 14
    Appendix III – Report Distribution List ....................................... Page 15
    Appendix IV – Management's Response to the Draft Report ....................... Page 16


Abbreviations

CSIRC    Computer Security Incident Response Center
IRS      Internal Revenue Service
MITS     Modernization and Information Technology Services


Background

A web server is a computer that contains the software necessary for a web site to operate. Web sites provide an organization with the means to contact stakeholders, customers, and employees for sharing information, communicating with others, and conducting business. The potential for information sharing is enormous because the Internet is made up of more than 1 billion users and more than 165 million web sites. The Internet is based on the premise of open accessibility.

Using the principles of the Internet, organizations can create internal web sites to share information with employees and allow them to process work. Internal web sites are less expensive to implement than a private network, which is based on proprietary protocols, and are easily accessible by employees. As with public web sites, connecting to internal web sites and taking advantage of their benefits also presents security risks. These risks include the unauthorized alteration of web site content, disruption of employee access to the web sites and computer operations, and unauthorized access to web server data as well as data on the network to which the web servers are connected.

Internal web sites are generally protected from outsiders by an organization's firewall[1] computers. This protection could give an organization a false sense of security. During the Black Hat Security Conference[2] in August 2007, two leading security professionals demonstrated that advancements in security research will allow hackers to exploit flaws in web browsers and employees' use of web browsers to infiltrate and attack internal web servers with greater ease. They further stated that organizations are unintentionally leaving the door of their information technology operations unlocked by failing to adequately protect their internal web servers. They concluded that organizations should begin defending their internal web servers in the same manner as they safeguard their external web sites.

In September 2007, the Internal Revenue Service (IRS) issued a comprehensive security policy on web servers and web software to better identify security controls and requirements for web servers. The policy established minimum security controls to safeguard both internal and external web servers.

This review focused on internal web servers, and any use of the term "web servers" in this report refers to internal web servers unless otherwise noted. The review was performed at the IRS field offices in Dallas, Texas, and Oakland, California, and at the National Headquarters in New Carrollton, Maryland, in the Office of the Chief Information Officer during the period September 2007 through May 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] A firewall is a computer with hardware and software that is designed to restrict access to and from an organization's internal network resources.
[2] Black Hat is a computer security conference held throughout the world to discuss computer security issues and events as well as train and inform individuals about security threats that might be present on their computer networks. Black Hat generally consists of computer hackers, security experts, government officials, and network administrators.


Results of Review

Unauthorized Web Servers on the Network Pose Significant Risks to Data Protection and Employee Productivity

The IRS requires that business units register all internal web sites and servers with the Web Services Division in the Modernization and Information Technology Services (MITS) organization. The registration process, which was effective on April 1, 2006, ensures that a site and server are a known entity on the network, an executive-level sponsor has approved the web server for internal use, and a system administrator and webmaster have been designated to ensure that the server's configurations and content are maintained and updated when necessary. This requirement is the starting point for ensuring that information residing on the IRS network is properly protected and inventoried and data are not compromised.

To support the registration process, the IRS established a database that contains information on all registered web sites and web servers. The information captured includes executive sponsorship, web administrator, content manager, web site name, web site purpose, specific machine name, operating system, and web software. As of August 2007, the IRS web registration database contained 2,878 active web servers.

We obtained a network scan completed in September 2007 by the IRS Computer Security Incident Response Center (CSIRC) to identify all possible web servers actually connected to the IRS network. The scan identified 2,093 potential web servers[3] that were connected to the IRS network. We compared the CSIRC scan results to the web registration database to determine how many web servers on the network had been registered as required. Figure 1 presents the results of the comparison.

[3] Due to the nature of network scans, we did not have absolute assurance that the 2,093 web servers are truly web servers. A network scan generally uses an automated program that attempts to access devices on the network and identify certain characteristics based on a set of criteria. This CSIRC network scan was set to identify characteristics typical for web servers. The possibility exists that other devices could have been identified as web servers, such as multi-functional devices. However, we are confident that most, if not all, of the devices are web servers because the September 2007 scan was refined from an earlier scan by eliminating over 7,400 peripheral devices, such as printers, routers, and switches, and lesser known web server software packages.

Figure 1: Comparison of Web Registration Database Data and CSIRC Web Server Scan

[Venn diagram of the web registration database (2,878 web servers as of August 2007) against the September 2007 CSIRC web server scan (2,093 web servers):]
    Yellow portion: 2,596 web servers in the web registration database that did not match the CSIRC web server scan.
    Green portion:  282 web servers recorded on both the web registration database and the CSIRC web server scan.
    Blue portion:   1,811 web servers in the CSIRC web server scan that did not match the web registration database.

Source: Treasury Inspector General for Tax Administration match of the web registration database, as of August 2007, to the September 2007 CSIRC web server scan.

Our comparison of the web registration database to the CSIRC web server scan found that only 282 web servers were recorded in both data sources, shown as the green portion in Figure 1. We identified 2,596 web servers in the registration database that were not found by the CSIRC scan, shown as the yellow portion in Figure 1. It is likely that many of these web servers were external web servers, no longer in existence, inaccurately recorded on the web registration database, or changed since being registered but not updated on the web registration database.

Of greater concern are the 1,811 web servers identified by the CSIRC scan that were not included in the web registration database, shown as the blue portion in Figure 1. These 1,811 web servers represent those that have not been authorized, yet are connected to the IRS network. However, the unauthorized web servers could be legitimate servers supporting IRS operations. For example, during our review, the Enterprise Operations organization[4] within the MITS was able to demonstrate that 661 (36 percent) of the 1,811 web servers had legitimate business purposes.

[4] The Enterprise Operations organization provides efficient, cost-effective, secure and highly reliable computing (server and mainframe) services for all IRS business entities and taxpayers.

Due to time constraints, we conducted only limited tests to determine whether the remaining 1,150 (1,811 – 661) unauthorized web servers were being used for non-business purposes and found none. We did find some that were operating unintentionally as web servers. An unintentional web server might exist when a system administrator inadvertently misconfigures a computer to perform as a web server or is unaware that web server capabilities are installed by default.[5] During our review, we were able to identify whether web servers were laptop and desktop computers[6] based on the computer naming convention. In the population of laptop and desktop computers, we identified the location of 54 unauthorized web servers. We judgmentally selected 19 of these 54 computers at 3 IRS offices and confirmed that they were valid computers on the network but were unintentionally running web services. We advised local system administrators of this situation, and they took actions to disable the web server capability of the computers.
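The Figure 1 comparison and the naming-convention check described above, as an added example that is not TIGTA's or the IRS's own tooling: a constructed scan result is reconciled against a constructed registration list, hosts are split into the three Figure 1 portions, unregistered hosts whose names follow an assumed workstation prefix convention (WS-, LT-, DT-) are flagged as likely unintentional web servers, and the distinct web software products seen by the scan are tallied. All hostnames, products and the prefix convention are constructed sample values.

```python
"""Reconcile a web-server discovery scan against a web registration database.

Added illustration of the comparison behind Figure 1 (not the report's own
code).  Hosts found by the scan but absent from the registration database are
unauthorized (blue); registered hosts the scan did not find are stale or
unreachable entries (yellow); hosts in both are matched (green).  Unregistered
hosts named like workstations are flagged as likely unintentional web servers.
"""
import re
from dataclasses import dataclass, field

# Constructed workstation naming convention: WS-/LT-/DT- prefixes.  The IRS's
# real convention is not given in the report.
WORKSTATION_PATTERN = re.compile(r"^(ws|lt|dt)-", re.IGNORECASE)


@dataclass(frozen=True)
class ScanHit:
    """One web-server detection from the discovery scan."""
    host: str
    port: int
    product: str  # web software banner as reported by the scanner


@dataclass
class Reconciliation:
    matched: set = field(default_factory=set)               # green portion
    unregistered: set = field(default_factory=set)          # blue portion
    registered_not_found: set = field(default_factory=set)  # yellow portion
    likely_unintentional: set = field(default_factory=set)  # subset of blue


def normalize(name: str) -> str:
    """Canonical match key: lowercase short hostname without domain suffix.

    The registration database records a 'specific machine name', so the key
    is the hostname; FQDN vs. short-name and case differences must not cause
    a registered server to be reported as unauthorized.
    """
    return name.strip().lower().split(".")[0]


def reconcile(scan_hits, registered_hosts) -> Reconciliation:
    """Split hosts into the three Figure 1 portions plus the workstation flag."""
    found = {normalize(h.host) for h in scan_hits}
    registered = {normalize(r) for r in registered_hosts}
    result = Reconciliation()
    result.matched = found & registered
    result.unregistered = found - registered
    result.registered_not_found = registered - found
    result.likely_unintentional = {
        h for h in result.unregistered if WORKSTATION_PATTERN.match(h)
    }
    return result


def distinct_products(scan_hits) -> set:
    """Distinct web software packages observed (the report counted 33)."""
    return {h.product for h in scan_hits}


def summary(result: Reconciliation, scan_hits) -> dict:
    """Counts a reviewer would report alongside the Venn diagram."""
    return {
        "scanned": len(result.matched) + len(result.unregistered),
        "matched": len(result.matched),
        "unregistered": len(result.unregistered),
        "registered_not_found": len(result.registered_not_found),
        "likely_unintentional": len(result.likely_unintentional),
        "products": len(distinct_products(scan_hits)),
    }


# Constructed sample data (not from the report).
SAMPLE_SCAN = [
    ScanHit("websrv01.example.test", 80, "Apache/2.0"),
    ScanHit("WEBSRV02", 443, "IIS/6.0"),
    ScanHit("ws-12345", 80, "IIS/5.0"),               # workstation, IIS on by default
    ScanHit("LT-98765.example.test", 8080, "IIS/5.0"),  # laptop, same situation
    ScanHit("appsrv07", 80, "Tomcat/5.5"),             # server-class but unregistered
]
SAMPLE_REGISTRY = ["websrv01", "websrv02.example.test", "oldportal", "appsrv99"]


if __name__ == "__main__":
    rec = reconcile(SAMPLE_SCAN, SAMPLE_REGISTRY)
    print("unregistered (blue):        ", sorted(rec.unregistered))
    print("likely unintentional:       ", sorted(rec.likely_unintentional))
    print("registered, not found (yel):", sorted(rec.registered_not_found))
    print(summary(rec, SAMPLE_SCAN))
```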
Because the remaining 35 laptop and desktop computers were dispersed throughout\nthe country, we were unable to physically verify whether these computers were legitimate web\nservers.7 We referred the remaining computers to the CSIRC for further review to determine\nwhether these computers are legitimate computers and authorized web servers.\nWhen we started planning this audit in June 2007, officials from the MITS organization were\nunable to tell us which office had ownership of the web registration program. As previously\ndiscussed, the existing procedures for the web registration process cited the Web Services\nDivision as the responsible office. However, discussions with MITS organization personnel,\nincluding a former Web Services Division employee, indicated that the Web Services Division\nwas disbanded in September 2006 and its program areas were dispersed to other MITS\norganization offices.\nThe MITS organization did not transfer ownership of the web registration program when the\nWeb Services Division was disbanded in September 2006. Of greater concern, during the course\nof our audit\xe2\x80\x93when the MITS organization recognized the lack of program ownership\xe2\x80\x93it still had\nnot decided which of its offices should have responsibility for the program. While MITS\norganization officials did inform us that the web registration program will be taken over by the\nEnterprise Networks organization,8 as of April 2008 we were unable to obtain supporting\ndocumentation that this transfer was approved and in effect. We believe that lack of ownership\n\n5\n  The following is an illustration of an unintentional web server: Internet Information Services 5.0 was installed on\nMicrosoft 2000 Server by default when the operating system was loaded onto server hardware. 
As such, any\nWindows 2000 Server built that uses default settings, be it a file server, print server, or domain controller, would\nhave the Internet Information Services 5.0 services installed, running, and listening for calls on the networks.\nMicrosoft addressed this concern by disabling the default installation of Internet Information Services 6.0 on its\nWindows Server 2003.\n6\n  While there is no definitive rule that web sites must operate on servers, generally web servers should be computers\ndesignated as servers rather than employee workstations. We believe that laptop and desktop computers assigned to\nindividual employees might be more indicative of unintentional web servers.\n7\n  Among the 35 laptop and desktop computers were 21 computers that supported a Wage and Investment Division\ncustomer service program in different IRS field offices. While we were unable to physically verify these computers,\nwe were able to connect with them and validate their purposes.\n8\n  The Enterprise Networks organization serves to positively satisfy IRS business units\xe2\x80\x99 requirements for all forms of\nelectronic communications in the most efficient and effective manner.\n                                                                                                             Page 5\n\x0c                            Unauthorized and Insecure Internal Web Servers\n                        Are Connected to the Internal Revenue Service Network\n\n\n\nover the web registration program adversely affected the maintenance and inventory of the web\nregistration database. According to IRS procedures, unregistered web servers might be blocked\nfrom delivering information to the network. 
Because no office had been given responsibility for\nthe web registration program since September 2006, this requirement was not enforced, and web\nserver owners were allowed to connect their web servers to the IRS network without proper\nauthorization and accountability.\nOther organizations under the Chief Information Officer had acknowledged that the web\nregistration database was inaccurate. In August 2007, the Applications Development\norganization9 within the MITS reviewed a random sample of 45 computer helpdesk tickets\nrelating to internal web sites and found that 8 of the 45 sites were not registered on the web\nregistration database.\n\nRecommendations\nThe Chief Information Officer should:\nRecommendation 1: Establish official ownership of the web registration program and assign\nresponsibility for the web registration process and the web registration database. Policies and\nprocedures should be updated to reflect the change of ownership.\n        Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n        recommendation. The Associate Chief Information Officer, Enterprise Operations, was\n        designated as the official for the web registration program and web registration database.\n        Policies and procedures will be updated to reflect the change of ownership.\nRecommendation 2: Enforce IRS procedures to block unauthorized web servers from\nproviding data over the IRS network. We recognize that some web servers used for legitimate\nbusiness purposes might be temporarily blocked during this effort. In these instances, web server\nowners will have to quickly obtain formal authorization and be reconnected to the network. We\nbelieve that blocking the unauthorized web servers is the most effective and efficient approach to\nobtaining an accurate inventory of authorized web servers.\n        Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n        recommendation. 
The IRS will take steps to identify unauthorized web servers and will\n        create a policy and procedure to prohibit them from providing data over the IRS network.\n        The IRS will also establish a process to accommodate legitimate web servers affected by\n        this recommendation.\nRecommendation 3: Require an annual scan of web servers and compare the scan results to\nthe web registration database. Unauthorized web servers should be immediately disconnected\n\n9\n The Application Development organization serves as the focal point for the IRS to define, design, build, test,\ndeliver, and maintain integrated information applications systems for developmental and production environments.\n                                                                                                          Page 6\n\x0c                            Unauthorized and Insecure Internal Web Servers\n                        Are Connected to the Internal Revenue Service Network\n\n\n\nfrom the IRS network architecture, and any web site identified with inappropriate content should\nbe referred to the Treasury Inspector General for Tax Administration Office of Investigations. In\naddition, owners of registered web servers should be required to revalidate the need for the web\nservers annually and immediately notify the Chief Information Officer when web servers are\ndecommissioned.\n        Management\xe2\x80\x99s Response: The Chief Information Officer agreed with this\n        recommendation. The CSIRC will provide an annual report to the web registration\n        database business owner to reconcile the assets. The IRS will compare the annual scans\n        run by the CSIRC to the web server database and disconnect unauthorized web servers.\n        Web sites identified with inappropriate content will be referred to Treasury Inspector\n        General for Tax Administration Office of Investigations. 
The IRS will also develop a\n        process to ensure that registered web server owners revalidate the need for the web\n        servers annually and provide notification when web servers are decommissioned.\n\nSecurity Weaknesses Were Prevalent on All Web Servers Connected\nto the Network\nLack of program ownership and an inaccurate inventory can negatively affect the overall security\nof web servers on the network. However, with or without an inventory, the IRS must be vigilant\nin maintaining adequate security controls over web servers.\nOn September 14, 2007, the Cybersecurity organization within the MITS issued a comprehensive\npolicy to implement minimum security controls to safeguard internal web servers. In addition to\nproviding configuration guidance on web servers, the policy established roles and responsibilities\nover web server security. For example, system owners have overall responsibility for the web\nservers and should work with system administrators to ensure proper server configurations. The\nsystem owners\xe2\x80\x99 information system security staffs should provide the necessary coordination to\nensure that plans for bringing existing web servers into compliance with security procedures are\ndeveloped and communicated to IRS management. In addition, security specialists in the\nCybersecurity organization are responsible for ensuring that system administrators and other\npersonnel having daily operational responsibilities for IRS web servers comply with the security\nrequirements.\nPrior to issuance of this specific guidance, the IRS had basic security requirements on server\nconfigurations, which included web servers. 
In general, we found that the new policies and\nprocedures were consistent with the National Institute of Standards and Technology\xe2\x80\x99s10\nrecommended security controls over web servers.\n\n\n10\n  The National Institute of Standards and Technology, under the Department of Commerce, is responsible for\ndeveloping standards and guidelines for providing adequate information security for all Federal Government agency\noperations and assets.\n                                                                                                         Page 7\n\x0c                            Unauthorized and Insecure Internal Web Servers\n                        Are Connected to the Internal Revenue Service Network\n\n\n\nTo evaluate compliance with security guidance, we obtained a CSIRC vulnerability scan of web\nservers conducted in September 2007. This scan identified 2,093 web servers with at least\n1 security vulnerability. The scan report contained:\n         - 540 web servers with at least 1 of 160 high-risk vulnerabilities,\n         - 1,101 web servers with at least 1 of 117 moderate-risk vulnerabilities, and\n         - 2,092 web servers with at least 1 of 135 low-risk vulnerabilities.\n\nThe number of web servers did not equal 2,093 because most web servers contained at least\n1 high-, 1 medium-, and 1 low-risk vulnerability.\n\nTwo examples of high-risk security vulnerabilities identified on the 540 web servers were\npassword and buffer overflow weaknesses.11\n     \xe2\x80\xa2   62 web servers contained at least 1 high-risk vulnerability involving passwords.\n         Specifically, the web servers had a blank password, did not require a password, and/or\n         had a password that was the same as the username. 
         These vulnerabilities significantly increased the risk that unauthorized users could access the web servers to alter the servers’ contents, copy data, install malicious programs for fraudulent purposes, or attack other computers on the network. Attacking other computers could provide access to taxpayer and personally identifiable information.
     •   130 web servers contained at least 1 high-risk vulnerability that could allow hackers to exploit a buffer overflow. Buffer overflows cause the software to react in an undesigned manner. A disgruntled employee could exploit buffer overflow vulnerabilities with carefully crafted executable commands as part of the invalid data and gain control over the web server. With full control, the individual could delete or copy the contents of the web server or attack other computers on the network, similar to the effects of password deficiencies discussed above.

Unauthorized servers pose a greater risk because the IRS has no way to ensure that they will be continually configured in accordance with security standards and patched[12] when new vulnerabilities are identified. Malicious hackers or employees could exploit the vulnerabilities on these web servers to manipulate data on the servers or to use the servers as launch points to attack other computers connected to the network.

We believe that these web servers had security weaknesses primarily because employees were not performing their duties as required. Specifically, system owners were not providing overall security emphasis over their own systems to ensure secure configurations, system administrators did not configure or maintain web servers in accordance with security guidance, and security specialists were not monitoring web servers to identify noncompliant servers.

[11] Buffer overflows are caused by inputting invalid data into web servers.
[12] A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.

We acknowledge that compliance with security requirements was probably affected by the timing of the issuance of the security policies and procedures for web servers. During our review, security specialists within the Office of Cybersecurity started working with local system administrators and system owners to resolve security weaknesses identified by the September 2007 CSIRC scan of vulnerable web servers. However, another network scan for servers completed in March 2008 showed that, of the 2,093 web servers previously identified with security vulnerabilities from the September 2007 scan, 1,936 still had at least 1 security vulnerability. The March 2008 vulnerability scan report contained 437 web servers with high-risk vulnerabilities and 699 web servers with moderate-risk vulnerabilities. While some improvements have been made, continued efforts are needed to ensure that security vulnerabilities are corrected or mitigated.

In addition to security vulnerabilities on web servers, we were concerned about the number of web software packages being used on the servers. We attempted to obtain a list of web software packages the IRS had approved for its web servers. Officials from the MITS organization informed us that it does not maintain a list of approved web software packages outside of the modernized environment.
For the modernized web servers, the Office of Enterprise Architecture has approved three web software packages for use: Microsoft® Internet Information Server, IBM WebSphere® Application Server, and Oracle® web software.

According to IRS web server security policies and procedures, only web server products and platforms identified by the Office of Enterprise Architecture should be used, and products and associated platforms not approved by the Office of Enterprise Architecture require a formal written waiver. The security procedures also provide specific web software security requirements for Microsoft® Internet Information Server, IBM WebSphere® Application Server, Microsoft® .NET Framework, Apache™[13] HTTP Server, and Apache™ Tomcat Server.

The June 2007 CSIRC network scan identified 2,568 potential web servers connected to the IRS network. Among the web software packages included in the 2,568 web servers were:
     •   Microsoft® Internet Information Server – 1,393.
     •   Apache™ – 827.
     •   Oracle® web software – 15.

The remaining 333 web servers were running 30 other web server software packages. Included in the 30 software packages was embedded web software associated with hardware devices.

[13] Apache™ is free software that is typically bundled with most UNIX operating systems and works with other applications including IBM WebSphere® and Oracle® as a component of their application servers. Security policies and procedures over web servers provide configuration guidance for Apache web software.

While having 33 different web server software packages might be justified, we believe that using as few products as possible would limit security risks, by simplifying the monitoring for security vulnerabilities due to software deficiencies and the patching of known security vulnerabilities, and would control costs, such as licensing fees, training money, and maintenance costs.

Recommendations

The Chief Information Officer should:

Recommendation 4: Require quarterly network scans of web servers to measure compliance with security requirements. These scan results should be shared with business unit executives as well as local system administrators to ensure timely tracking and resolution of the vulnerabilities. Repeated noncompliance should be referred to managers of the local web administrators for performance evaluation purposes.

       Management’s Response: The Chief Information Officer agreed with this recommendation. The CSIRC will perform quarterly security assessments of web servers to measure compliance with security requirements, and the IRS will review the scans and share the results with business unit executives and local administrators. Business owners and system administrators must eliminate the vulnerabilities.

Recommendation 5: Formally limit the number of approved web software packages for web servers used in the non-modernized environment.

       Management’s Response: The Chief Information Officer agreed with this recommendation.
       The IRS will investigate the web server packages currently in use and work with the Office of Enterprise Architecture to create a list of approved software. Business owners will be accountable for adhering to the list of approved software.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS is adequately securing and controlling its web servers. The audit focused on the security of internal IRS web servers on the IRS network. To accomplish our objective, we:

I.     Determined whether the IRS was properly accounting for and controlling its web servers.
       A. Evaluated policies and procedures over the ownership, inventory, and accountability of web servers.
           1. Identified IRS policies and procedures over asset management for web servers.
           2. Determined compliance with policies and procedures established to ensure that all web servers are identified and controlled.
       B. Identified and obtained sources of web server inventory records. We obtained the following sources of information:
           1. CSIRC scan report, dated June 2007, that listed 2,568 web servers.
           2. CSIRC scan report, dated September 2007, that listed 2,093 web servers.
           3. CSIRC scan report, dated March 2008, that listed 1,937 web servers.
           4. Enterprise Operations organization spreadsheet, dated October 2007, that included 1,008 web servers.
           5. Enterprise Services organization web registration database, dated August 2007, that contained 2,878 active web servers. We validated the reliability and accuracy of the web registration database by comparing it to the CSIRC scan report dated September 2007.
       C. Coordinated with the MITS organization to identify ownership, location, business need, and purpose for the 2,093 web servers identified in the September 2007 CSIRC scan.
           1. Identified 1,811 unauthorized web servers by matching the September 2007 CSIRC scan results to the web registration database.
           2. Coordinated with the Enterprise Operations organization and identified 1,150 web servers not owned by the Enterprise Operations organization and/or registered with the web registration program.
           3. Researched the 1,150 web servers on the IRS online Enterprise System Management system[1] to identify contact point and location. We judgmentally selected 19 computers at 3 IRS offices and confirmed whether they were valid computers on the network but were unintentionally running web servers. The three offices visited were the IRS field offices in Dallas, Texas, and Oakland, California, and the National Headquarters in New Carrollton, Maryland. We used a judgmental sample because we did not plan to project the audit results.
           4. For those web servers for which ownership could not be identified by the Enterprise Operations organization or our own research, referred the list to the MITS Program Oversight organization to determine the best approach to identify organizations responsible for the web servers.
       D. Identified 33 different web software packages connected to the IRS network from the June 2007 CSIRC scan with 2,568 web servers. We used the June 2007 CSIRC scan because the September 2007 CSIRC scan did not include identification of web software packages.
           1. Obtained names of approved web software from the Office of Enterprise Architecture and compared them to the list of web software identified in the CSIRC scan of 2,568 web servers.
           2. Obtained feedback from the MITS organization on its perspective on web software usage.
II.    Determined whether the IRS was adequately securing web servers.
       A. Evaluated policies and procedures for security over web servers. We compared Internal Revenue Manual section 10.8.42 v17, entitled Web Server and Web Applications Security, to the National Institute of Standards and Technology[2] Guide for Assessing the Security Controls in Federal Information Systems (Special Publication 800-53).
       B. Analyzed available vulnerability scans.
           1. Identified those web servers that failed the June 2007 and March 2008 CSIRC vulnerability scans with high-, medium-, and/or low-risk vulnerabilities.
           2. Determined whether the CSIRC followed up with server owners on web servers with high-risk vulnerabilities, resolved the weaknesses, and identified why the vulnerabilities existed.
           3. Determined whether the CSIRC conducted regular scans of the network to identify unauthorized web servers, non-standardized web software, or vulnerable web servers.

[1] The IRS online Enterprise System Management system provides design, development, deployment, and operational support for the enterprise-wide management of IRS computers.
[2] The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Preston B. Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
David Brown, Senior Auditor
Louis Lee, Senior Auditor
Abraham Millado, Senior Auditor
Midori Ohno, Senior Auditor
William Simmons, Senior Auditor
Stasha Smith, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Chief Information Officer, Applications Development OS:CIO:AD
Associate Chief Information Officer, Cybersecurity OS:CIO:C
Associate Chief Information Officer, Enterprise Networks OS:CIO:EN
Associate Chief Information Officer, Enterprise Operations OS:CIO:EO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief Information Officer OS:CIO

Appendix IV

Management’s Response to the Draft Report
'
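The reconciliation the report describes in its Synopsis and in Appendix I (matching CSIRC scan results against the web registration database to find unregistered servers, rolling findings up by risk level so that one server can count in the high, medium and low categories at once, rescanning to see which servers remain vulnerable, and comparing web software in use against an approved list), as an added example that is not part of the report. All hosts, findings, software names and the approved list are constructed sample data.

```python
"""Reconcile a web-server vulnerability scan against a registration database.

Constructed sample data only; no real hosts or findings appear here.
"""
from collections import Counter

# Constructed web registration database: hosts that business units registered.
REGISTERED = {"web01.example.test", "intranet.example.test", "wiki.example.test"}

# Constructed scan findings: (host, web software, finding, risk level).
SCAN = [
    ("web01.example.test", "IIS", "outdated server banner", "low"),
    ("web01.example.test", "IIS", "buffer overflow in ISAPI filter", "high"),
    ("intranet.example.test", "Apache", "directory listing enabled", "medium"),
    ("intranet.example.test", "Apache", "TRACE method enabled", "low"),
    ("printer7.example.test", "embedded", "blank admin password", "high"),
    ("printer7.example.test", "embedded", "default SNMP community", "medium"),
    ("devbox.example.test", "Tomcat", "sample applications deployed", "low"),
]

# Constructed follow-up scan months later: two hosts remediated, two still flagged.
RESCAN = [
    ("web01.example.test", "IIS", "outdated server banner", "low"),
    ("devbox.example.test", "Tomcat", "sample applications deployed", "low"),
]

RISK_LEVELS = ("high", "medium", "low")


def unauthorized_hosts(scan, registered):
    """Hosts the scanner saw that are absent from the registration database."""
    return sorted({host for host, *_ in scan} - set(registered))


def risk_levels_by_host(scan):
    """Map each host to the set of risk levels in which it has at least one finding."""
    levels = {}
    for host, _software, _finding, risk in scan:
        levels.setdefault(host, set()).add(risk)
    return levels


def servers_per_risk_level(scan):
    """Hosts with at least one finding at each level; a host may count at several."""
    counts = Counter(r for risks in risk_levels_by_host(scan).values() for r in risks)
    return {level: counts[level] for level in RISK_LEVELS}


def still_vulnerable(first_scan, second_scan):
    """Hosts flagged in the first scan that still have any finding in the second."""
    return sorted({h for h, *_ in first_scan} & {h for h, *_ in second_scan})


def unapproved_software(scan, approved):
    """Web software packages in use that are not on the approved list."""
    return sorted({software for _host, software, *_ in scan} - set(approved))


if __name__ == "__main__":
    print("unauthorized:", unauthorized_hosts(SCAN, REGISTERED))
    print("per level:", servers_per_risk_level(SCAN), "hosts:", len(risk_levels_by_host(SCAN)))
    print("still vulnerable after rescan:", still_vulnerable(SCAN, RESCAN))
    print("unapproved software:", unapproved_software(SCAN, {"IIS", "Apache"}))
```

Because the per-level counts overlap, they sum to more than the number of vulnerable hosts, which is the same effect the report notes for its 540, 1,101 and 2,092 figures against 2,093 servers.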